If you’re a WordPress user and you’re running any of these plugins, you’d better update them right away.

All vulnerabilities have been patched in new versions of each plugin. The various vulns can allow an attacker to use your website for phishing lures, to send spam, to make you an unwitting malware host, to infect other sites (on a shared server), and more.

If you’re an admin on a WordPress install, check to see that you have the following current versions of each affected plugin:

The most recent vulnerability is in the mobile plugin WPtouch, allowing attackers to upload malicious PHP files or backdoors to the target server without needing admin privileges.

The security hole found by Sucuri on Monday — which is actually an error in WPtouch code — would allow an attacker to take over your site, or hijack your best-indexed pages before you discover you’ve been hacked.

During a routine audit for our WAF, we discovered a very dangerous vulnerability that could potentially allow a user with no administrative privileges, who was logged in (like a subscriber or an author), to upload PHP files to the target server.

Someone with bad intentions could upload PHP backdoors or other malicious malware and basically take over the site.

So to make a long story short, if you’re running WPtouch, then update immediately!

The researchers specified, “This disclosure only applies to 3.x versions of WPtouch. Administrators using 2.x and 1.x versions of the plugin will not be affected by the vulnerability.”

Sucuri also noted, “this vulnerability can only be triggered if your website allows guest users to register.”

In this case, the great thing is that we disclosed the vulnerability to the WPtouch team and they swiftly put a patch online to correct this issue (version 3.4.3 – WPtouch Changelog).

In order to correct this issue on your website, all you have to do is to update the plugin on your administration panel. And like we said before, you should do so ASAP.
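
The following Python triage applies the conditions stated above: only 3.x builds are affected, 3.4.3 is the fix, and the bug can be triggered only when guest registration is open. It is an added example, not code from Sucuri or WPtouch; the sample header text, function names and result labels are assumptions made for illustration.

```python
import re

FIXED = (3, 4, 3)  # patched release named in the article

# Constructed sample of a WordPress plugin header comment (not the real file).
SAMPLE_HEADER = """<?php
/*
Plugin Name: WPtouch Mobile Plugin
Version: 3.4.2
*/
"""


def header_version(php_source):
    """Return the 'Version:' header field as a tuple of ints, or None."""
    # WordPress reads plugin headers only from the start of the main file.
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*([0-9]+(?:\.[0-9]+)*)",
                  php_source[:8192], re.MULTILINE | re.IGNORECASE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def triage(version, registration_open):
    """Classify a WPtouch install using only the conditions the article states."""
    if version is None:
        return "unknown"        # no parseable header: inspect by hand
    padded = (version + (0, 0, 0))[:3]   # treat "3.4" as 3.4.0
    if padded[0] != 3:
        return "not-affected"   # the disclosure covers 3.x only
    if padded >= FIXED:
        return "patched"
    # Vulnerable 3.x build: triggerable only where guests can register.
    return "update-now" if registration_open else "update"


if __name__ == "__main__":
    print(triage(header_version(SAMPLE_HEADER), registration_open=True))
```

Feed `header_version` the contents of the plugin’s main PHP file and pass the site’s registration setting as the second argument to `triage`.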

The news follows a string of recent discoveries revealing a sizable number of exploits and vulns of serious concern to anyone running a WordPress installation — that also means anyone at your company, if you have departments doing PR or blogging on WordPress.

Update your plugins — or else

On July 1 the security team found a grave vulnerability in the MailPoet plugin, saying, “If you have this plugin activated on your website, the odds are not in your favor. An attacker can exploit this vulnerability without having any privileges/accounts on the target site.”

This bug should be taken seriously; it gives a potential intruder the power to do anything he wants on his victim’s website. It allows for any PHP file to be uploaded.

While it does not necessarily look that bad at first (yes, SERP rank loss is no good, but no one’s hurt at this point, right?), we also discovered this bug can be used with another vulnerability to execute malicious JavaScript code on an administrator’s control panel.